
What is this traffic being blocked?

There's a list of entries in my firewall log of traffic being 'Denied' but I'm not sure what's causing it and why it's being blocked.

Here's a screenshot of the firewall log:

Here's the detailed description from one of the entries:

2018-08-24 15:12:59 Firewall messageid="00002" log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="9" policy_type="1" user="" user_group="" web_policy_id="12" ips_policy_id="12" appfilter_policy_id="10" app_name="" app_risk="0" app_technology="" app_category="" in_interface="Port1" out_interface="" src_mac="[removed]" src_ip="172.16.16.20" src_country="" dst_ip="66.58.255.17" dst_country="" protocol="UDP" src_port="52177" dst_port="443" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

Here's a screenshot of firewall rule 9:

The destination IP addresses appear to be Google's main page. My only guess is because there's no 'Out Interface' defined, so the traffic is being blocked because it's not matching any Zones I have defined in my firewall rules.

Any ideas?



  • Hi Shred,

    part of the answer is there is no output port because the transactions are going out through the http proxy. Also appears to be blocked because the packets have no size, though I am not sure about that bit.

    Ian

  • Hm, interesting - all of my traffic should be going through the http proxy because I have Scan HTTP enabled and a web policy, so I’m not sure that’s it.

    Thinking about this, it’s UDP going to a destination of port 443... I think this is traffic being blocked because I have ‘Block Google QUIC’ selected in my firewall rules. I’m also guessing since it’s being blocked, it never makes it to the ‘Out Interface’ thus it’s showing up in the logs with the ‘Out Interface’ blank.
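Parsing the key="value" entry quoted in the first post and flagging the UDP-to-443 pattern reasoned about above, as an added example that is not from the thread or from Sophos; the is_blocked_quic heuristic and the second sample line are assumptions made for illustration:

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Sophos XG firewall log lines are a flat sequence of key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_xg_log(line: str) -> Dict[str, str]:
    """Parse one XG log line into a dict; empty values are kept as ''."""
    return dict(KV_RE.findall(line))


def is_blocked_quic(entry: Dict[str, str]) -> bool:
    """Heuristic from the thread: a denied UDP flow to port 443 is QUIC that an
    XG rule with 'Block Google QUIC' dropped. The empty out_interface and zero
    byte counter show the packet never reached a forwarding decision.
    (Assumed classification for this example, not the product's own logic.)"""
    return (entry.get("status") == "Deny"
            and entry.get("protocol", "").upper() == "UDP"
            and entry.get("dst_port") == "443"
            and entry.get("out_interface", "") == ""
            and entry.get("bytes_sent") == "0")


def quic_denies_by_source(lines: Iterable[str]) -> Counter:
    """Count blocked-QUIC entries per (source IP, firewall rule id)."""
    hits: Counter = Counter()
    for line in lines:
        e = parse_xg_log(line)
        if is_blocked_quic(e):
            hits[(e["src_ip"], e["fw_rule_id"])] += 1
    return hits


# Constructed samples: the first is trimmed from the entry quoted in the
# first post; the second is a made-up allowed TCP flow for contrast.
SAMPLE_LINES: List[str] = [
    'messageid="00002" log_type="Firewall" log_subtype="Denied" status="Deny" '
    'fw_rule_id="9" in_interface="Port1" out_interface="" src_ip="172.16.16.20" '
    'dst_ip="66.58.255.17" protocol="UDP" src_port="52177" dst_port="443" '
    'bytes_sent="0" bytes_received="0" appresolvedby="Signature"',
    'messageid="00001" log_type="Firewall" log_subtype="Allowed" status="Allow" '
    'fw_rule_id="2" in_interface="Port1" out_interface="" src_ip="172.16.16.20" '
    'dst_ip="66.58.255.17" protocol="TCP" src_port="52178" dst_port="443" '
    'bytes_sent="1420" bytes_received="9800"',
]

if __name__ == "__main__":
    for (src, rule), n in quic_denies_by_source(SAMPLE_LINES).items():
        print("%s hit rule %s with blocked QUIC %d time(s)" % (src, rule, n))
```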

  • Hey Shred,

    My original answer still stands. Below is a line from my XG.

    Firewall Rule | Allowed | ians-mbpl | 2 | Port1 | (blank) | 192.168.21.41 | 184.106.2.168 | 62497 | 443 | TCP | 2 | 00001

    Ian

  • Hi Shred,

    protocol="UDP"

    that's why it's not going through the Proxy. :-)

    Can you please post the details of the rule?

    Regards

    Alex

  • Hey Alex,

    There's a picture of the firewall rule in my first post. It's a very basic rule that basically sits at the bottom of my firewall rules.

    I'm 99% sure this traffic being blocked is because I have 'Block Google(QUIC)' selected on my firewall rules.

  • One thing I don’t quite understand is why I’m seeing these entries in my log. The reason is that I have a firewall rule with logging turned off, which my devices should be hitting, above the firewall rule that is causing these entries. Here’s basically what I’m referring to:

    - I have an iPad defined as a MAC Host in Sophos XG (i.e. “My iPad”).

    - I have one firewall rule that allows LAN to WAN on certain services which “My iPad” is assigned to (logging disabled).

    - I have another firewall rule that allows all from LAN to WAN for all services and devices (logging enabled) - this rule sits below the rule above.

    - Both of these firewall rules have “Block Google(QUIC)”.

    If I understand Sophos XG correctly, it’s assessing firewall rules from top to bottom and once a rule is matched, it stops there. So in the example above, when I’m using my iPad and Google QUIC attempts to be used, it should be blocked since I have that enabled and should no longer be assessed against any other firewall rules. However, what appears to be happening is that it’s moving to the next firewall rule it matches, which, in this case, is the allow-all rule I have set up.

    Any ideas?